/*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2018 Steve Springett. All Rights Reserved.
 */
package org.owasp.dependencycheck.data.nodeaudit;

import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.concurrent.ThreadSafe;

import org.apache.hc.client5.http.HttpResponseException;
import org.apache.hc.core5.http.ContentType;
import org.apache.hc.core5.http.Header;
import org.apache.hc.core5.http.HttpHeaders;
import org.apache.hc.core5.http.message.BasicHeader;
import org.json.JSONException;
import org.json.JSONObject;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.Downloader;
import org.owasp.dependencycheck.utils.ResourceNotFoundException;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.TooManyRequestsException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.json.JsonObject;
import org.apache.commons.jcs3.access.exception.CacheException;

import static org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.DEFAULT_URL;

import org.owasp.dependencycheck.analyzer.exception.SearchException;
import org.owasp.dependencycheck.analyzer.exception.UnexpectedAnalysisException;
import org.owasp.dependencycheck.data.cache.DataCache;
import org.owasp.dependencycheck.data.cache.DataCacheFactory;
import org.owasp.dependencycheck.utils.Checksum;

/**
 * Class of methods to search via Node Audit API.
 *
 * @author Steve Springett
 */
@ThreadSafe
public class NodeAuditSearch {

    /**
     * The URL for the public Node Audit API.
     */
    private final URL nodeAuditUrl;

    /**
     * Whether to use the Proxy when making requests.
     */
    private final boolean useProxy;
    /**
     * The configured settings.
     */
    private final Settings settings;
    /**
     * Used for logging.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(NodeAuditSearch.class);
    /**
     * Persisted disk cache for `npm audit` results.
     */
    private DataCache<List<Advisory>> cache;

    /**
     * Creates a NodeAuditSearch for the given repository URL.
     *
     * @param settings the configured settings
     * @throws java.net.MalformedURLException thrown if the configured URL is
     * invalid
     */
    public NodeAuditSearch(Settings settings) throws MalformedURLException {
        final String searchUrl = settings.getString(Settings.KEYS.ANALYZER_NODE_AUDIT_URL, DEFAULT_URL);
        LOGGER.debug("Node Audit Search URL: {}", searchUrl);
        this.nodeAuditUrl = new URL(searchUrl);
        this.settings = settings;
        if (null != settings.getString(Settings.KEYS.PROXY_SERVER)) {
            useProxy = true;
            LOGGER.debug("Using proxy");
        } else {
            useProxy = false;
            LOGGER.debug("Not using proxy");
        }
        if (settings.getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, true)) {
            try {
                final DataCacheFactory factory = new DataCacheFactory(settings);
                cache = factory.getNodeAuditCache();
            } catch (CacheException ex) {
                settings.setBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, false);
                LOGGER.debug("Error creating cache, disabling caching", ex);
            }
        }
    }

    /**
     * Submits the package.json file to the Node Audit API and returns a list of
     * zero or more Advisories.
     *
     * @param packageJson the package.json file retrieved from the Dependency
     * @return a List of zero or more Advisory object
     * @throws SearchException if Node Audit API is unable to analyze the
     * package
     * @throws IOException if it's unable to connect to Node Audit API
     */
    public List<Advisory> submitPackage(JsonObject packageJson) throws SearchException, IOException {
        String key = null;
        if (cache != null) {
            key = Checksum.getSHA256Checksum(packageJson.toString());
            final List<Advisory> cached = cache.get(key);
            if (cached != null) {
                LOGGER.debug("cache hit for node audit: " + key);
                return cached;
            }
        }
        return submitPackage(packageJson, key, 0);
    }

    /**
     * Submits the package.json file to the Node Audit API and returns a list of
     * zero or more Advisories.
     *
     * @param packageJson the package.json file retrieved from the Dependency
     * @param key the key for the cache entry
     * @param count the current retry count
     * @return a List of zero or more Advisory object
     * @throws SearchException if Node Audit API is unable to analyze the
     * package
     * @throws IOException if it's unable to connect to Node Audit API
     */
    private List<Advisory> submitPackage(JsonObject packageJson, String key, int count) throws SearchException, IOException {
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("----------------------------------------");
            LOGGER.trace("Node Audit Payload:");
            LOGGER.trace(packageJson.toString());
            LOGGER.trace("----------------------------------------");
            LOGGER.trace("----------------------------------------");
        }
        final List<Header> additionalHeaders = new ArrayList<>();
        additionalHeaders.add(new BasicHeader(HttpHeaders.USER_AGENT, "npm/6.1.0 node/v10.5.0 linux x64"));
        additionalHeaders.add(new BasicHeader("npm-in-ci", "false"));
        additionalHeaders.add(new BasicHeader("npm-scope", ""));
        additionalHeaders.add(new BasicHeader("npm-session", generateRandomSession()));

        try {
            final String response = Downloader.getInstance().postBasedFetchContent(nodeAuditUrl.toURI(),
                    packageJson.toString(), ContentType.APPLICATION_JSON, additionalHeaders);
            final JSONObject jsonResponse = new JSONObject(response);
            final NpmAuditParser parser = new NpmAuditParser();
            final List<Advisory> advisories = parser.parse(jsonResponse);
            if (cache != null) {
                cache.put(key, advisories);
            }
            return advisories;
        } catch (RuntimeException | URISyntaxException | JSONException | TooManyRequestsException | ResourceNotFoundException ex) {
            LOGGER.debug("Error connecting to Node Audit API. Error: {}",
                    ex.getMessage());
            throw new SearchException("Could not connect to Node Audit API: " + ex.getMessage(), ex);
        } catch (DownloadFailedException e) {
            if (e.getCause() instanceof HttpResponseException) {
                final HttpResponseException hre = (HttpResponseException) e.getCause();
                switch (hre.getStatusCode()) {
                    case 503:
                        LOGGER.debug("Node Audit API returned `{} {}` - retrying request.",
                                hre.getStatusCode(), hre.getReasonPhrase());
                        if (count < 5) {
                            final int next = count + 1;
                            try {
                                Thread.sleep(1500L * next);
                            } catch (InterruptedException ex) {
                                Thread.currentThread().interrupt();
                                throw new UnexpectedAnalysisException(ex);
                            }
                            return submitPackage(packageJson, key, next);
                        }
                        throw new SearchException("Could not perform Node Audit analysis - service returned a 503.", e);
                    case 400:
                        LOGGER.debug("Invalid payload submitted to Node Audit API. Received response code: {} {}",
                                hre.getStatusCode(), hre.getReasonPhrase());
                        throw new SearchException("Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.", e);
                    default:
                        LOGGER.debug("Could not connect to Node Audit API. Received response code: {} {}",
                                hre.getStatusCode(), hre.getReasonPhrase());
                        throw new IOException("Could not connect to Node Audit API", e);
                }
            } else {
                LOGGER.debug("Could not connect to Node Audit API. Received generic DownloadException", e);
                throw new IOException("Could not connect to Node Audit API", e);
            }
        }
    }

    /**
     * Generates a random 16 character lower-case hex string.
     *
     * @return a random 16 character lower-case hex string
     */
    private String generateRandomSession() {
        final int length = 16;
        final SecureRandom r = new SecureRandom();
        final StringBuilder sb = new StringBuilder();
        while (sb.length() < length) {
            sb.append(Integer.toHexString(r.nextInt()));
        }
        return sb.substring(0, length);
    }
}
